How can I stop openconnect from changing /etc/resolv.conf?
Use vpn-slice to set up a split tunnel connection wherein your DNS configuration is not modified, and only traffic to a few hosts or IP subnets is routed over the VPN.
It was created for this exact purpose:
I am just using the VPN for a few specific host not for a full Internet connection.
Once you've installed vpn-slice, use it with OpenConnect as a replacement for the standard vpnc-script (you can remove the -v --dump
after you've confirmed that it's working properly):
$ openconnect --script "vpn-slice -v --dump host.you.need.to.access some.other.host" \
vpn-server.your.company.com
This will set the routing tables up so that only traffic to those two particular hosts are routed over the VPN, and will add entries for them to /etc/hosts
. Docs have more details.
(I'm the author of vpn-slice, and one of the main contributors to OpenConnect.)
Create the following script /etc/vpnc/no_resolverupdate.sh
#!/bin/sh
#
#
export INTERNAL_IP4_DNS=
. /usr/share/vpnc-scripts/vpnc-script
Make it executable:
chmod +x /etc/vpnc/no_resolverupdate.sh
Then add a line to your connection configuration file (here /etc/vpnc/customer.conf)
echo 'Script /etc/vpnc/no_resolverupdate.sh' >> /etc/vpnc/customer.conf
Alternatively, you can use script hooks, create /etc/vpnc/connect.d/no_resolverupdate.sh with contents
#!/bin/sh
export INTERNAL_IP4_DNS=
To be applied for every connection.
Does vpnc-script look like this? If so, the belows code is why it changes your /etc/resolv.conf
:
if [ -x /sbin/resolvconf ]; then # Optional tool on Debian, Ubuntu, Gentoo
MODIFYRESOLVCONF=modify_resolvconf_manager
RESTORERESOLVCONF=restore_resolvconf_manager
elif [ -x /sbin/modify_resolvconf ]; then # Mandatory tool on Suse earlier than 11.1
MODIFYRESOLVCONF=modify_resolvconf_suse
RESTORERESOLVCONF=restore_resolvconf_suse
else # Generic for any OS
MODIFYRESOLVCONF=modify_resolvconf_generic
RESTORERESOLVCONF=restore_resolvconf_generic
fi
modify_resolvconf_manager() {
NEW_RESOLVCONF=""
for i in $INTERNAL_IP4_DNS; do
NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
done
if [ -n "$CISCO_DEF_DOMAIN" ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN"
fi
echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
}
The 'dirty' way is make the /etc/resolv.conf
file immutable:
# chattr +i /etc/resolv.conf
The proper way is edit your vpnc-script to make it shouldn't change the /etc/resolv.conf
.